Magazine Article | September 13, 2006

ECM's Role In Compliance

Regulatory compliance requirements are providing VARs with more opportunities to sell ECM (enterprise content management) solutions.

Business Solutions, October 2006

There are more than 45 federal and state document management regulations in place, cutting across most industries in the United States. Those regulations present a plethora of sales opportunities for VARs, because they are both horizontal and vertical in nature. For instance, Sarbanes-Oxley (SOX) and SEC 17-A are horizontal — addressing common compliance issues across many vertical industries. In contrast, FDA 21 CFR Part 11 and the Gramm-Leach-Bliley Act (GLBA) address document management regulations in the life sciences and banking verticals respectively. Although each regulation differs in what type of data is to be protected, each delivers a common message: Companies must protect their data.


Understand How ECM And Compliance Fit Together

“VARs need to understand what business pains are created by government regulations in each vertical market,” explains Steve Stennett, VP of U.S. sales for TOWER Software. TOWER provides EDRM (electronic document and records management) solutions. “VARs also need to understand that technology is only a part of the solution they’re creating for a client. The three ‘Ps’ of process, policy, and people are also important.”

EMC sells its Documentum platform to address document compliance and corporate governance challenges. “VARs must understand how regulations affect an ECM strategy,” adds Lubor Ptacek, director of content management marketing for EMC Software. “Customers often are looking for advice on the regulation itself, and this is where the VAR’s expertise can add significant value by understanding the customer pain points and developing expertise pertaining to the regulations.”

That’s great advice, but how do VARs gain that knowledge? “The ECM industry, with AIIM — The Enterprise Content Management Association — leading the way, is providing an incredibly diverse selection of educational tools,” explains Dan Lucarini, senior director of marketing for Captaris. Captaris provides business information delivery products, with a special focus on compliance. Lucarini continues, “We also advise ECM-focused VARs to form a partnership with a consulting firm that specializes in regulatory compliance processes.” Lucarini’s comments are supported by the fact that many vendors have teamed with compliance specialists (e.g. StorageTek and Deloitte Consulting).


Position Data Retention Correctly

“There are three layers emerging in data management,” explains Alan Stuart, chief strategist, IBM Data Retention Solutions. “The first layer is an application where objects are created [e-mail, scanning software, etc.]. The second layer is repository management, where objects are indexed within a database. The third layer is the storage repository and the storage management software. The focus of the data retention sale is somewhere between the first and second layers.”

Stuart raises a great point. One of the biggest mistakes VARs can make is to sell the right data retention product to the wrong group within a customer’s business. For instance, it does not make sense to sell a data retention solution to the administrator in charge of the storage system. The sale has to take place at an administrative level — the level that is charged with corporate governance and compliance. In large companies, that will often be the chief compliance officer or the chief security officer.


Healthcare Is A Hotbed For ECM Compliance

“Healthcare and financial services are two examples of highly regulated industries,” says Captaris’ Lucarini. That is an understatement. Just about everyone has experienced the sweeping reach of HIPAA (Health Insurance Portability and Accountability Act) at one time or another. At a very high level, HIPAA requires controls for authentication. In any exchange of electronic data, each party to the transaction must prove that every other party is exactly who they claim to be. HIPAA also requires access controls. All medical records must be secured from unauthorized access. Reporting and tracking of data is also mandated by HIPAA. Healthcare providers must log all access, transfers, and use of patient data (including for backup purposes), and audit those accesses, transfers, and uses against patient authorization. Document management is not an option for healthcare providers; it is an absolute necessity.


Show The Business Intelligence Value Of ECM Compliance

Many organizations are forced to implement document management systems to comply with regulations such as HIPAA or SOX. However, there is additional value to be gained from the data collection process. “We are showing customers the value of the data they are collecting,” says IBM’s Stuart. “I am working with a number of casinos in Las Vegas to mine their customer data to provide better, more accurate services.”

For instance, by looking at its customer data, one casino hotel is able to provide desk personnel with customized suggestive selling points based on a customer’s history of spending habits as the customer is checking in. VARs can provide this type of additional value when selling document management solutions — even if the base purpose is to help the customer reach compliance.

“Many organizations are just realizing the value of extending compliance-based systems logic and structure to provide additional corporate governance information,” adds Stennett. “Data mining provides another opportunity for VARs in the ECM space.”


Select Your Entry Point Into ECM Compliance

We have established the ECM compliance opportunity is strong. Now, how do VARs get into this market? “Become a domain expert in one vertical industry niche,” says Lucarini. Many of you may already have that expertise. Lucarini continues, “Then get educated on a cross-industry regulation such as SOX, and become an expert on the document control and records retention section.”

If you’re interested in healthcare compliance, I might suggest joining an organization such as the Health Care Compliance Association (www.hcca.org). VARs interested in the financial vertical might start by visiting www.sarbanes-oxley-forum.com. Those are only two of many good Web resources that exist on regulatory compliance.

“Finding quality vendor partners to work with is crucial in getting started in the ECM market,” advises TOWER’s Stennett. “It is also wise to settle on a niche area of expertise as opposed to trying to be all things to all people. Expert VARs in a market can understand the business problems as well as compliance issues.”

If you’re a storage VAR, ECM compliance seems like a perfect opportunity to add a complementary technology to your portfolio. As an ECM VAR, you may want to consider offering an archival storage product to complement your software and services. IBM’s Stuart agrees. “The sale of content management applications should always accompany the sale of a storage repository.”

EMC’s Ptacek concludes by advising VARs to “Go after the ECM compliance opportunity. This market is growing faster than most other markets in software, and there is plenty of demand for specialized vertical market expertise.” VARs don’t have to look very long or hard to recognize that ECM compliance provides a target-rich sales environment.